Co-operative Life Planning's customer data published online

Software contractor did not have proper security measures in place

The Information Commissioner’s Office (ICO) has found Co-operative Life Planning in breach of the Data Protection Act after thousands of customers’ details were accidentally published online.

The breach occurred after a contractor failed to follow Co-operative Life Planning’s (CLP) security procedures, which led to the personal details of 82,000 customers being exposed. The contractor has not been named.

CLP hired a software support contractor to make two repairs to an electronic file containing personal information, such as names and addresses, of people who had paid into funeral insurance policies. Each time the repair was carried out, the contractor copied the data onto its servers.

In March 2011, the file was hacked into, and the data was then accidentally made available online.

“This case highlights the need for companies to ensure their contractors are following procedures on keeping customers’ personal information secure,” said acting head of enforcement at the ICO, Sally-Anne Poole.

However, Poole said that the ICO did not impose a financial penalty on CLP because the compromised information was “unlikely to cause substantial damage or distress”, and that its disclosure did not present a significant risk to the affected individuals.

“Co-operative Life Planning also had appropriate policies already in place around protecting personal information stored on their servers. Our focus has therefore been to make sure the organisation commits to making improvements to stop this from happening again,” she continued.

An investigation by the ICO found that the software support services provider was not authorised to copy the data from CLP’s servers, and that it had failed to delete the information once the file had been repaired.

CLP did not have measures in place to detect that the data had been transferred on these two separate occasions, and it was also not aware that the customer information had been published online.

Ian Mackie, managing director of CLP, has signed an undertaking to ensure that the data loss prevention software already tested by the company will be implemented on all its servers. It will also test all future databases which are subject to maintenance to make sure that the data remains secure.